Functional Safety Engineering
ProSalus Functional Safety Engineering
SAFETY CONSULTANTS

SIL Verification


Types of Failures - Recap 


- Sub systems can fail because of:
  - Random hardware failures
  - Common cause hardware failures
  - Systematic failures

- Any of these failures drives the SIF into a specific state:
  - Safe failures λS = safe undetected failure rate λSU + safe detected failure rate λSD
  - Dangerous failures λD = dangerous undetected failure rate λDU + dangerous detected failure rate λDD
Systematic Failures - Recap

- Definition: a hidden fault in design or implementation, such as:
  - Software design
  - Specifications
  - Operating manuals
  - Maintenance or test procedures, etc.

- IEC 61508 approach:
  - Measures to avoid systematic failures (tables in 61508-2/3 Annex A/B)
  - Probabilistic calculations for software can be done (61508-7 Annex D)
Hardware Verification Approaches

- IEC 61511-2 approach:
  - Follow the methodology in IEC 61508-2 & 3 Annex B for hardware systematics
  - Hardware verification: IEC 61508 or ISA simplified approach allowed

- IEC 61508-6 approach:
  - Techniques and measures to control systematic hardware failures (tables in 61508-2/3 Annex A/B)
  - Hardware verification (PFD or PFH calculation)

- ISA-TR84.00.02-2002 approach:
  - Detailed technical report in 5 parts: simplified equations, FTA, Markov analysis
Random Hardware Failures - Introduction

The Bathtub Curve & Assumed Constant Failure Rate

[Figure: bathtub curve of failure rate against time, with the overall curve overlaid on three regions: burn-in (early failures), useful life (random failures at the assumed constant rate) and wear-out (wear-out failures).]
Simplified Exponential Distribution - Background

- IEC 61508 / 61511 equations assume a constant failure rate λ
- Therefore the exponential distribution can be simplified to:

  Reliability: R(t) = e^(−λt)
  Unreliability: F(t) = 1 − R(t)
  Unreliability: F(t) = 1 − e^(−λt) (cumulative probability of failure)

  If λt is small (< 0.1), then 1 − e^(−λt) approximates to λt

For a detailed discussion of the simplification refer to "Reliability, Maintainability & Risk", Smith, ISBN 978-0-7506-6694-7

[Figure: F(t) plotted as probability against time.]
Cumulative Probability of Failure - Linear Assumption

[Figure: cumulative probability of failure F(t) = 1 − e^(−λt) against time t, with the linear approximation F(t) ≈ λt drawn for the region λt << 1.]
The Effects of Stress on Component Failure - Background

The probability of failure changes under different stress conditions:

[Figure: failure distributions against time t under high stress, normal and low strain conditions, each with its own MTBF marked on the time axis.]
Considering the Mean Time To Repair (MTTR)

[Figure: the elements of repair time in sequence: REVEAL, ACCESS, DIAGNOSE, SPARES, REPLACE, CHECK, ALIGN. The REPAIR portion and the LOGISTICS AND ADMIN portion are marked within this sequence.]

Slide acknowledgement: Technis
Considering the Mean Repair Time (MRT)

MRT does not include the time to detect the failure.

[Figure: the down time broken into ACCESS, DIAGNOSE, SPARES, REPLACE, CHECK, ALIGN, with the REPAIR portion and the LOGISTICS AND ADMIN portion marked; the detection (reveal) step lies outside MRT.]

Slide acknowledgement: Technis
Considering the Mean Down Time (MDT)

Of any unit:
  MDT = MRT + (Proof Test Interval)/2

Of a system with two redundant units:
  MDT = MRT + (Proof Test Interval)/3
Definitions - Unavailability and Availability - Background

For a 1oo1 system with 10 yrs MTBF and an annual proof test interval (PTI):
  Assume 1/MTBF = λ (when << 1) = 1/10 = 0.1 pa
  MDT = MRT + PTI/2 = 0.5 yr (assuming MRT is small, e.g. 4 hours)
  Thus Unavailability = 0.5 yr × 0.1 pa = 5% = PFD = 0.05

Unavailability = λ × MDT (approximation when λ is small)
UNAVAILABILITY is similar to PFDavg
NB: actually λ MDT / (1 + λ MDT) (for when λ is large)
NB: Availability = 1 − Unavailability
NB: Availability = MTTF / (MTTF + MTTR)
NB: MTBF = MTTF + MTTR
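As an added Python example (not from the slides), the reliability and unavailability relations above applied to the slide's 1oo1 figures; the 4 hour MRT is converted to years so every quantity shares one time unit, and the exact and approximate unavailability are compared.

```python
import math

HOURS_PER_YEAR = 8760.0

def reliability(lam, t):
    """R(t) = e^(-λt): probability of surviving to time t with a constant failure rate λ."""
    return math.exp(-lam * t)

def unreliability(lam, t):
    """F(t) = 1 - e^(-λt): cumulative probability of failure by time t."""
    return 1.0 - reliability(lam, t)

def unreliability_linear(lam, t):
    """The linear approximation F(t) ≈ λt that the slides use while λt < 0.1."""
    return lam * t

def linear_approx_error(lam, t):
    """Relative over-estimate of the linear approximation against the exact F(t)."""
    exact = unreliability(lam, t)
    return (unreliability_linear(lam, t) - exact) / exact

def mean_down_time(mrt, proof_test_interval, redundant_units=1):
    """MDT = MRT + PTI/2 for a single unit; MRT + PTI/3 for a pair of redundant units."""
    divisor = 2 if redundant_units == 1 else 3
    return mrt + proof_test_interval / divisor

def unavailability_approx(lam, mdt):
    """Unavailability ≈ λ × MDT (valid while λ × MDT is small)."""
    return lam * mdt

def unavailability_exact(lam, mdt):
    """Unavailability = λ·MDT / (1 + λ·MDT), needed when λ × MDT is not small."""
    x = lam * mdt
    return x / (1.0 + x)

def availability_from_mttf(mttf, mttr):
    """Availability = MTTF / (MTTF + MTTR); MTBF = MTTF + MTTR."""
    return mttf / (mttf + mttr)

def slide_example():
    """The slide's 1oo1 case: MTBF 10 yr, annual proof test, MRT 4 h (all in years)."""
    lam = 1.0 / 10.0                      # per year, taking 1/MTBF as λ
    mrt_years = 4.0 / HOURS_PER_YEAR
    mdt = mean_down_time(mrt_years, 1.0)  # about 0.5 yr
    return {
        "lambda_per_year": lam,
        "mdt_years": mdt,
        "pfd_approx": unavailability_approx(lam, mdt),   # about 0.05
        "pfd_exact": unavailability_exact(lam, mdt),     # a little under 0.05
        "availability": availability_from_mttf(10.0, mrt_years),
    }
```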
Understanding Types of Failure Rate Data

- Generic data
- Industry specific data
- Site specific data

The type of data used affects the accuracy of the prediction.
Examples of Failure Data Sources

- US MIL Handbook 217
- UK BT HRD
- Lees "Loss Prevention in the Process Industries"
- AIChemE - Process Equipment Reliability Data Book
- OREDA, PDS, SINTEF Data Book (Offshore)
- Exida Safety Data Handbook
- Manufacturers' FMEDA reports
- UK MoD Def Stan 00-41
- UKAEA (SRD)
- Faradip
- Various consultants' data banks: RMC, DNV, DJS
- SN 29500
Example of Using Failure Rate Data - Faradip

Failure rates (per million hours):
- Gas pellister: 1010 (fail .003)
- Detector smoke ionization
- Detector ultraviolet
- Detector infra red (fail .003)
- Detector rate of rise
- Detector temperature
- Detector flame failure
- Detector gas IR (fail .003)

Failure modes (proportion):
- Rate of rise: spurious 0.6, fail 0.4
- Gas pellister: spurious 0.3, fail 0.7
- Infra red: spurious 0.5, fail 0.5
- Smoke (ionize) & UV: spurious 0.6, fail 0.4
Estimating Confidence Levels for Failure Data

"Reliability, Maintainability & Risk", Smith, ISBN 978-0-7506-6694-7

- Smith proposes rules of thumb for estimating the confidence level for:
  - Generic data
  - Industry specific data
  - Site specific data
Increasing Confidence Levels when Using Generic Data

[Figure: distribution of the achieved λ around the predicted λ for generic data, with the 60% confidence band marked.]

Increasing Confidence Levels when Using Industry Data

[Figure: distribution of the achieved λ around the predicted λ for industry data, with the 60% confidence band marked.]

Slide acknowledgement: Technis

Increasing Confidence Levels when Using Site/Company Data

[Figure: distribution of the achieved λ around the predicted λ for site/company data, with the 60% confidence band marked.]
Failure Mode, Effect Analysis (FMEA)

Failure Modes and Effect Analysis (FMEA)

- Purpose: to study the results or effects of item failure on system operation and to classify each potential failure according to its severity
- First formal applications in 1960 in the aerospace industry
- First of all it is a design technique
- But it is also a verification technique
- It can be used for products, systems and processes
- Is a single failure mode analysis technique
- Does not consider multiple failures at the same time
- Common cause or systematic failures are not addressed
- Is a bottom-up technique
FMEA Can Be Adjusted to the Problem or Needs at Hand

- FMEA - Failure modes and effects analysis
  - Basic technique (BS EN 60812)
  - DOD MIL-STD-1629A
- FMECA - Failure mode, effect, and criticality analysis
- Functional FMEA
- Maintenance FMEA
- Process FMEA
- Software FMEA
- FMEDA - Failure modes, effects and diagnostic analysis
FMEA Process

The following steps are important:
- Define the system and scope of the analysis
- List all sub systems and components
- Identify failure modes
  - Determine rates of occurrence
  - Determine locatability
- Identify effects of failure
  - Determine severity
  - Determine detectability - locatability - fault coverage (FD/FL)
- Criticality analysis
Example Failure Mode & Effect Analysis

Severity classification:
- Fault leading to an Unsafe Failure which is not detected by the system diagnostics
- Fault leading to an Unsafe Failure which is detected by the system diagnostics
- Fault leading to a Safe Failure which is not detected by the system diagnostics
- Fault leading to a Safe Failure which is detected by the system diagnostics

Worksheet columns: Identification | Function | Failure Modes | Operational Mode | Failure Effects (Local / End) | Detection Method | Compensating Provisions | Severity Class | Remarks

[Table: FMEA worksheet for a fibre-optic DTS 800 temperature measurement unit. The rows, with the cells that can be read from the worksheet:]

- Temperature Controlled Reference Coils. Function: provide reference against which measured values can be compared. Failure mode: fibre break. Operational mode: normal. Effects: no profile / incorrect trace. Detection: normal operation reports break and location. Compensating provision: redundant DTS 800 unit. Remarks: requires replacement of Optics Module; one instance in fault reports.
- Fibre Switch. Function: allows a single laser to connect to multiple fibres. Failure mode: switch dirty. Operational mode: normal. Effects: source attenuated / degraded trace. Detection: QA zone allocated for signal/noise ratio above threshold. Compensating provision: redundant DTS 800 unit. Remarks: unit can be cleaned.
- Receiver. Function: detects back scattered light. Failure mode: surface degradation. Operational mode: normal. Effects: reduction in output / degraded trace. Detection: QA zone allocated for signal level below threshold. Compensating provision: redundant DTS 800 unit. Remarks: long term gradual failure.
- Laser (in AOD). Function: generate light source for transmission through fibre. Failure mode: reduction in power. Operational mode: normal. Effects: source attenuated / degraded trace. Detection: QA zone allocated for signal/noise ratio above threshold. Compensating provision: redundant DTS 800 unit. Remarks: most recorded fault.
- AOD Driver. Function: provides pulsing function of laser. Failure mode: incorrect pulse. Operational mode: normal. Effects: potential error in temperature value. Detection: QA zone allocated to monitor standard deviation; periodic function test. Compensating provision: redundant DTS 800 unit. Remarks: include trace analysis for this fault in the periodic site function test.
- Breakout PCB. Function: provides power distribution for the Optics Module. Failure mode: incorrect voltage to other circuits. Operational mode: normal. Effects: module supply out of spec / degraded trace. Detection: QA zone allocated for signal/noise ratio above threshold. Compensating provision: redundant DTS 800 unit. Remarks: most sensitive module is the processor, which will shut down switching outputs to the safe state.
- Main Amp. Function: amplifies Optics Module output for processing. Failure mode: incorrect gain. Operational mode: normal. Effects: incorrect signal to averager / incorrect trace. Detection: QA zone allocated for signal level below threshold. Compensating provision: redundant DTS 800 unit. Remarks: does not affect reported values, but signal could be biased; detectable during periodic function test; reference signal offset as per measured signal.
- Temperature Control PCB Assembly. Function: controls temperature of laser, receiver, reference coil and AOD. Failure mode: temperature sensor fault. Effects: incorrect control; on the reference coil the trace will be offset. Detection: functional test by applying shock low temperature to field sensor. Compensating provision: redundant DTS 800 unit. Remarks: trip threshold is against an absolute level; this fault could mean that the absolute threshold is not reached, therefore no trip; however, there are no reports of this failure mode in fault records.
- Optics Interface PCB Assembly. Function: gain and offset to main amp plus HV supplies to APDs. Failure mode: incorrect gain & offset to Main Amp. Operational mode: normal. Effects: incorrect signal to averager / incorrect trace. Detection: QA zone allocated for signal level below threshold. Compensating provision: redundant DTS 800 unit. Remarks: does not affect reported values, but signal could be biased; detectable during periodic function test; reference signal offset as per measured signal.
- Averager PCB Assembly. Function: accumulates data and generates average. Failure mode: A/D converter fail. Operational mode: normal. Effects: no output / no trace. Detection: QA zone allocated for signal/noise ratio above threshold. Compensating provision: redundant DTS 800 unit.
- Power Supply. Function: provides power & regulation to system modules. Failure mode: output too low. Operational mode: normal. Effects: some modules failing / degraded or no trace. Detection: alarm handoff from UPS to serial interface; QA zone allocated for signal/noise ratio above threshold. Compensating provision: UPS with battery pack; redundant DTS 800 unit.
- Memory PCB Assembly. Function: stores OS, application and data. Failure mode: data corrupted. Operational mode: normal. Effects: wrong results, incorrect operation of relays / inconsistent data. Detection: QA zones set up for inconsistency checking. Compensating provision: redundant unit.
- Processor PCB Assembly. Function: perform mathematical analysis on returned signals. Failure mode: incorrect calculation. Operational mode: normal. Effects: incorrect result / inconsistency in trace. Detection: QA zone detects abnormal trace. Compensating provision: redundant DTS 800 unit. Remarks: project uses a redundant pair; one processor in error would lead to a discrepancy between units detected by the safety logic solver, but possibly only when a trip condition occurs.
- Output Module. Function: provide powered outputs to interposing relays to the external logic solver. Failure mode: contacts stuck closed. Operational mode: normal. Effects: fail to open on demand from processor / failure to transfer status to safety system. Detection: voting in comparison with the redundant 800 DTS system in the external safety logic solver; comparison with fault relay status. Compensating provision: redundant DTS 800 unit; selection of relays with low fail rates. Remarks: original on-board relays now removed and replaced by external high quality relays incorporating hermetic seal and gas filled can.
Fault Tree Analysis (FTA)

What Is Fault Tree Analysis

- An analysis method to identify causes for an assumed failure (top event)
- Deductive method: focuses on the top event
- Logical structure
- Considers equipment failures & human errors
- Identify possible causes for a system failure
- Predict:
  - Reliability
  - Availability
  - Failure frequency
- Identify system improvements
- Predict effects of changes in design and operation
Copyright ProSalus Limited 2011
Fault Tree Symbols

[Figure: example tree with TOP event "Tank Over Spill", INTERMEDIATE event "No High Level Alarm" and BASIC events beneath.]

- Basic event data are normally failure frequencies.
- Conversion to probability depends on whether the failure is revealed or unrevealed.

Fault Tree Symbols - 2
LOGIC GATES:

- OR gate: output occurs if any of the input events happen
- AND gate: output occurs only when all the input events happen
- TRANSFER gate: indicates that part of this fault tree is developed elsewhere
AND Gate Example

[Figure: top event "Fire or explosion" fed by an AND gate over three basic events: "Ignition source present", "Fuel present", "Oxygen present".]

Output event occurs only when all the input events happen.
OR Gate Example

[Figure: top event "High Level Trip Failure" fed by an OR gate over "Sensor Failure" and "Switch Failure".]

Output event occurs if any of the input events happen.
The FTA Process
STEP 1 - System Definition
STEP 2 - Understanding the System
STEP 3 - Defining the Top Event
STEP 4 - Constructing the Fault Tree
STEP 5 - Qualitative Analysis
STEP 6 - Gather Failure Rate Data
STEP 7 - Quantitative Analysis
The FTA Process - 2

Step 1 - System Definition
- Mark up the system drawing and check off items
- Initial equipment configuration
- Which valves open/closed? Which pumps on/off?
Step 2 - Understanding the System
- Un-allowed events (considered not possible)
- Existing events (considered certain)
- Other assumptions
Step 3 - Top Event Identification
- Requires precise definition: use HAZOP, FMEA, experience etc.
- Vague or poorly defined top events often lead to a poor analysis
- Example: 'Compressor fire' is too general; 'Fire in the oxygen compressor enclosure during normal operation' is good
The FTA Process - 3

Step 4 - Fault Tree Construction
- Begin at the top event
- Determine the intermediate faults/causes that result in the top event
- If the basic causes can be determined immediately from the top event then the problem is too simple for FTA
- Identify the logic gate that defines the relationship of those causes to the top event
- HOW FAR TO GO? Stop developing a branch when:
  - The branch is of no further interest
  - The branch is known to have very low probability
  - You have reached the stage of individual component failures for which no data is available
The FTA Process - 4

STEP 5 - Fault Tree Reduction (Qualitative Analysis)

A cut set is any combination of basic events which will cause the top event.

Cut sets are calculated by Boolean algebra (for complex fault trees many thousands of cut sets may be produced, therefore only simple trees are produced and quantified by hand).

Cut sets are used to quantify fault trees.

1st order: 1 event causes the top event
2nd order: 2 events needed for the top event
3rd order: 3 events needed for the top event
Boolean Algebra

1. AND (A and B) = A·B
2. OR (A or B) = A + B
3. NOT(A) = Ā
4. XOR (A and B) = A·B̄ + B·Ā
The FTA Process - 5

Step 6 - Gathering Failure Data
- Need data on basic event frequencies/probabilities
- Site historical data is preferred; when not available, take from a reliability database such as Faradip etc.
- Engineering judgment needed when data is sparse
Step 7 - Fault Tree Quantification
- Calculation of top event frequency or probability
  - How often? = Frequency
  - Chance of failure on demand = Probability
Gate-by-Gate Calculation

AND gate:
  Frequency F1 and Probability P2: Frequency = F1 × P2
  Probability P1 and Probability P2: Probability = P1 × P2
  Frequency F1 and Frequency F2: not permitted

OR gate:
  Probability P1 and Probability P2: Probability = P1 + P2
  Frequency F1 and Frequency F2: Frequency = F1 + F2
  Probability P1 and Frequency F2: not permitted
Rules for Quantification

1. All branches must be independent
2. Decide if top event probability (P) or frequency (F) is required
3. Obtain failure data and convert to probability if required:
   Revealed failure: P = F × repair time
   Unrevealed failure: P = 0.5 × F × test interval
4. OR gates (add): all inputs must be the same type as the output
5. AND gates (multiply): P1 × P2 = P; F1 × P2 = F; F1 × F2 not permitted
The FTA Process - 6

Common Mode/Dependent Failures
- Quantification assumes all events are independent
- CMF causes a number of things to fail simultaneously
- CMF can cause serious errors in results if not included in the fault tree
- Defeats redundancy and/or diversity
- Can involve both the initiating event and mitigating systems
An Example of CMF

[Figure: a tank with level measurement and three high-level shutdown systems; overfilling can overpressure the tank.]

- Danger of overfilling the tank, with potential to overpressure the tank. Protect with 3 independent high-level shutdown systems?

Effect of CMF

[Figure: fault tree in which "Level Switch 1 Fails", "Level Switch 2 Fails" and "Level Switch 3 Fails", each with P = 0.01, are ANDed together and ORed with a "Common Cause Failures" event, P_CCF = βλ. Top event: P = 1e-6 with no CMF; P = 1e-3 with CMF.]
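An added Python example (not from the slides) that applies the gate-by-gate calculation and the rules for quantification above to this slide's three-level-switch tree; the tree structure (three switches ANDed, a common cause event ORed in) is my reading of the figure, and β = 0.1 is an assumed value chosen to reproduce the slide's 1e-3 result.

```python
from dataclasses import dataclass

# A basic event carries either a probability ("P", dimensionless) or a
# frequency ("F", events per unit time); the gate rules depend on which.
@dataclass
class Basic:
    name: str
    value: float
    kind: str      # "P" or "F"

@dataclass
class Gate:
    op: str        # "AND" or "OR"
    inputs: list   # Basic or Gate nodes

def revealed_to_probability(freq, repair_time):
    """Rule 3, revealed failure: P = F × repair time (same time unit for both)."""
    return freq * repair_time

def unrevealed_to_probability(freq, test_interval):
    """Rule 3, unrevealed failure: P = 0.5 × F × test interval."""
    return 0.5 * freq * test_interval

def evaluate(node):
    """Gate-by-gate evaluation returning (value, kind); raises ValueError on a
    combination the quantification rules do not permit."""
    if isinstance(node, Basic):
        return node.value, node.kind
    results = [evaluate(child) for child in node.inputs]
    kinds = {k for _, k in results}
    if node.op == "OR":
        # Rule 4: OR gates add, and every input must be the same type as the output.
        if len(kinds) != 1:
            raise ValueError("OR gate mixes probabilities and frequencies")
        return sum(v for v, _ in results), kinds.pop()
    if node.op == "AND":
        # Rule 5: AND gates multiply; P×P = P, F×P = F, F×F is not permitted.
        n_freq = sum(1 for _, k in results if k == "F")
        if n_freq > 1:
            raise ValueError("AND gate with more than one frequency input")
        value = 1.0
        for v, _ in results:
            value *= v
        return value, ("F" if n_freq == 1 else "P")
    raise ValueError(f"unknown gate type {node.op!r}")

def is_permitted(node):
    """True if the tree obeys the type rules, False if evaluation would be rejected."""
    try:
        evaluate(node)
        return True
    except ValueError:
        return False

def level_switch_tree(p_switch, beta=0.0):
    """Slide example: tank overfill guarded by three high-level switches, so all three
    must fail (AND). Rule 1 assumes independent branches; the dependent part is brought
    in explicitly as a common cause event with P = β × p_switch, ORed with the AND."""
    independent = Gate("AND", [Basic(f"Level switch {i} fails", p_switch, "P")
                               for i in (1, 2, 3)])
    if beta == 0.0:
        return independent
    ccf = Basic("Common cause failure of all three switches", beta * p_switch, "P")
    return Gate("OR", [independent, ccf])

def top_event_probability(p_switch, beta=0.0):
    value, kind = evaluate(level_switch_tree(p_switch, beta))
    return value   # 1e-6 without CMF, about 1e-3 with β = 0.1
```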
Strengths of FTA
- Widely used
- Theory well developed
- Many published texts and papers
- Large number of engineers trained in FTA
- Complementary information available from qualitative and quantitative analysis
- Visually easy to understand
Weaknesses of FTA
- Very time consuming
- Errors if paths missed
- Error prone if manual
- Substantial experience needed
- Poor treatment of time dependence
FTA SIL Verification Example

[Figure: fault tree for the top event "HIPPS fails spuriously", the OR of "HIPPS triggers spuriously" and "HIPPS valve spurious close". "HIPPS triggers spuriously" is the OR of "Individual PTx triggers (2oo3)" and "Pressure Tx (2oo3) CCF", the 2oo3 branch built from the safe failures of three pressure transmitters. "HIPPS valve spurious close" is the OR of "Individual SOV triggers (2oo3)" and "Solenoid Vlv (2oo3) CCF", built from the safe failures of three solenoid valves. Each event is annotated with its frequency.]
Architectures for Low Demand Mode of Operation

Based on ISA-TR84.00.02-2002
ISA TR84.00.02 (Part 1 & 2) Simple Formulas - Basic Terms

β: the fraction of undetected failures that have a common cause
λDCCF = β × λD
λD: dangerous failure rate
λDD: detected dangerous failure rate
λDU: undetected dangerous failure rate
MTTR: mean time to repair
PFDavg: average probability of failure on demand
Ti: proof test interval
λS: safe failure rate
DC: diagnostic coverage, DC = λDD/λD
Tia: auto diagnostic test interval
ISA TR84.00.02 (Part 1 & 2) Simple Formulas - Approximation

Architecture | PFDavg        | STR
1oo1         | ½ λD Ti       | λS
1oo2         | ⅓ λD² Ti²     | 2 λS
1oo3         | ¼ λD³ Ti³     | 3 λS
2oo2         | λD Ti         | 2 λS² MTTR
2oo3         | λD² Ti²       | 6 λS² MTTR

λD = dangerous failure rate; λS = revealed (safe) failure rate; Ti = test interval; MTTR = mean time to repair

Table showing the most basic simple formulas. These formulas do not take into account:
- Test coverage factor
- Maintenance interval
- Test duration
- Override during repair
- CCF (beta factor)
- Systematic failure rate
SIF Failure Modes

Safe failures: spurious trip rate λS = 1/MTBFsp (MTBF = MTTF + MTTR). Leads to loss of production; trips the plant unless 2oo3 or 2oo2 voting is used.

Dangerous failures: dangerous failure rate λD = 1/MTTFD, split into λDD (detectable by diagnostics) and λDU (undetectable except by manual proof testing).
Allocation of Formulae for a Single Channel

Overt failures: spurious trip rate λS = 1/MTBFS; failures/yr = λS. Trips the plant or stays dead (1 channel).
Covert failures: dangerous failure rate λD = 1/MTTFD; failures/yr = λD.

Diagnostic coverage DC = λDD/λD splits the dangerous failures into a portion detectable by diagnostics and a portion undetectable except by manual proof testing:

PFD_DD = DC × λD × (MTTR + Tia/2)
PFD_DU = (1 − DC) × λD × Ti/2
PFDavg Calculations According to ISA-TR84.00.02-2002

The PFDavg is determined by calculating the PFD for all of the components in each SIF loop and combining these individual values to obtain the overall SIF loop PFDavg value. This is expressed by the following:

PFD_SIF = ΣPFD_S + ΣPFD_FE + ΣPFD_LS

Where:
PFD_FE is the final element PFDavg for a specific SIF,
PFD_S is the sensor PFDavg for a specific SIF,
PFD_LS is the logic solver PFDavg,
PFD_SIF is the PFDavg for the specific SIF in the SIS.
Determining the PFDavg (ISA-TR84.00.02-2002)

The procedure for determining the PFDavg is as follows:

1. Identify each sensor that detects the process condition that could lead to the event the SIF is protecting against. Only those sensors that prevent or mitigate the designated event are included in PFD calculations.
2. List the MTTF^DU for each sensor.
3. Calculate the PFD for each sensor configuration using the MTTF^DU and the appropriate equation with consideration for redundancy.
System Equations (ISA-TR84.00.02-2002)

The following equations cover the typical configurations used in SIF configurations. To see the derivation of the equations listed, refer to ISA-TR84.00.02 Part 5.

Converting MTTF to failure rate λ:
λDU = 1 / MTTF^DU

Equations for typical configurations:

1oo1: PFDavg = [λDU × TI/2] + [λDF × TI/2]
Where λDU is the undetected dangerous failure rate, λDF is the dangerous systematic failure rate, and TI is the proof test interval.
Systematic Failures (ISA-TR84.00.02-2002)

ISA equations model the systematic failure λDF as an error that occurred during the specification, design, implementation, commissioning, or maintenance that resulted in the SIF component being susceptible to a random failure.

Systematic failures are rarely modeled for SIF verification calculations due to the difficulty in assessing the failure modes and effects and the lack of failure rate data for various types of systematic failure.

However, these failures are extremely important and can have a significant impact on SIF performance. This is addressed through a lifecycle process that incorporates design and installation concepts, validation and testing criteria, and management of change, which are intended to be a defence against systematic failures.
1oo2 (ISA-TR84.00.02-2002)

1oo2 System

This architecture consists of two channels connected in parallel, such that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

[Figure: 1oo2 physical block diagram, two channels in parallel.]
1oo2 (ISA-TR84.00.02-2002)

PFDavg = [((1 − β) × λDU)² × TI²/3] + [(1 − β) × λDU × λDD × MTTR × TI] + [β × λDU × TI/2] + [λDF × TI/2]

For simplification, 1 − β is generally assumed to be one, which yields conservative results. Consequently, the equation reduces to

PFDavg = [(λDU)² × TI²/3] + [λDU × λDD × MTTR × TI] + [β × λDU × TI/2] + [λDF × TI/2]

Where MTTR is the mean time to repair,
λDD is the dangerous detected failure rate, and
β is the fraction of failures that impact more than one channel of a redundant system (CCF).

The second term represents multiple failures during repair. This factor is typically negligible for short repair times (typically less than 8 hours). The third term is the common cause term. The fourth term is the systematic error term.

Spurious Trip Rate (STR) = safe failure rate λS = safe failure rate of channel 1 (λS1) + safe failure rate of channel 2 (λS2)
1oo3 (ISA-TR84.00.02-2002)

1oo3 System

This architecture consists of three channels connected in parallel, such that any one channel can process the safety function. Thus there would have to be a dangerous failure in all three channels before a safety function failed on demand.

[Figure: 1oo3 physical block diagram, three channels in parallel.]

PFDavg = [(λDU)³ × TI³/4] + [(λDU)² × λDD × MTTR × TI²] + [β × (λDU × TI/2)] + [λDF × TI/2]

The second term accounts for multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term and the fourth term is the systematic error term.

Spurious Trip Rate (STR) = safe failure rate λS = 3 × λS (per channel)
2oo2 (ISA-TR84.00.02-2002)

2oo2 System

This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

[Figure: 2oo2 physical block diagram, two channels with diagnostics feeding a 2oo2 vote.]

PFDavg = [λDU × TI] + [β × λDU × TI] + [λDF × TI/2]

The second term is the common cause term and the third term is the systematic error term.

Spurious Trip Rate (STR) = safe failure rate λS = 2 × λS² × MTTR
2oo3 (ISA-TR84.00.02-2002)

2oo3 System

3 channels in parallel with majority voting, such that the output state does not change if only 1 channel changes.

[Figure: 2oo3 physical block diagram, three channels with diagnostics feeding a 2oo3 vote.]

PFDavg = [(λDU)² × TI²] + [3 × λDU × λDD × MTTR × TI] + [β × λDU × TI/2] + [λDF × TI/2]

The second term in the equation represents multiple failures during repair. This factor is typically negligible for short repair times. The third term is the common cause term. The fourth term is the systematic error term.

Spurious Trip Rate (STR) = safe failure rate λS = 6 × λS² × MTTR
The simplified equations in ISA-TR84.00.02-2002 without the terms for multiple failures during repair, common cause and systematic errors reduce to the following for general use:

1oo1: PFDavg = λDU × TI/2
1oo2: PFDavg = (λDU)² × TI²/3
1oo3: PFDavg = (λDU)³ × TI³/4
2oo2: PFDavg = λDU × TI
2oo3: PFDavg = (λDU)² × TI²
2oo4: PFDavg = (λDU)³ × TI³
Implementation

- Calculating the PFD of the function:
  - The PFD of each subsystem/element is calculated (for 1oo1, 1oo2 etc.) for the:
    - Initiator
    - Logic solver
    - Final element
  - The total PFD for the combination is then calculated
The Impact of Proof Testing

The probability of failure for a 1oo1 element = ½ λd Ti

Therefore if the proof test interval is increased then the PFDavg will also increase proportionally; likewise if the proof test interval is decreased the PFDavg will also decrease proportionally.
The Impact of Maintenance

The simplified formula PFDavg = ½ λd Ti:
- Assumes that the element is in the "as new" condition
- Testing does not cover every aspect (coverage factor < 1)
  - E.g. we do not know the internal condition of a valve
- Only periodic "bench type" maintenance can bring elements back to an "as new" condition

The PFDavg will increase without routine maintenance.
The Impact of Imperfect Proof Test and Maintenance

- At the maintenance interval the element is maintained and returned to the as-new condition
- For a 1oo1 system:
  PFDavg = ½ λd Ti C + ½ λd Tm (1 − C)

Where:
λd = total unrevealed (dangerous) failure rate (per year)
Ti = proof test interval (years)
C = the proof test coverage factor
Tm = maintenance interval; the interval at which the device is maintained to as-new condition (years)
Example Calculation

For a simplified 1oo1 system:
PFDavg = ½ λd Ti

Dangerous undetected failure rate λd is 10⁻⁶ per hour (1 failure in 114 years)
Proof test interval Ti is annual (every 8760 hours)

So the PFDavg = 0.5 × 10⁻⁶ × 8760 = 4.38 × 10⁻³
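An added Python example (not from the slides or from ISA-TR84.00.02 itself) collecting the simplified architecture equations, the full 1oo2 and 2oo3 equations, the imperfect-proof-test formula and the example calculation above into one script, plus a design-iteration helper on the proof test interval; the SIL bands in sil_band are the IEC 61508 low-demand PFDavg ranges, which this page does not state.

```python
HOURS_PER_YEAR = 8760.0

def pfd_simplified(arch, lam_du, ti):
    """General-use PFDavg keeping only the λDU proof-test term (the reduced table above).
    lam_du and ti must share a time unit (per hour and hours, or per year and years)."""
    x = lam_du * ti
    table = {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,
        "1oo3": x ** 3 / 4,
        "2oo2": x,
        "2oo3": x ** 2,
        "2oo4": x ** 3,
    }
    return table[arch]

def pfd_1oo2_full(lam_du, lam_dd, mttr, ti, beta, lam_df=0.0):
    """1oo2 with the repair, common cause and systematic terms, taking (1 - β) as 1."""
    return (lam_du ** 2 * ti ** 2 / 3          # both channels fail between proof tests
            + lam_du * lam_dd * mttr * ti      # second channel fails while the first is under repair
            + beta * lam_du * ti / 2           # common cause term
            + lam_df * ti / 2)                 # systematic term

def pfd_2oo3_full(lam_du, lam_dd, mttr, ti, beta, lam_df=0.0):
    """2oo3 with the same four terms; note the factor 3 on the repair term."""
    return (lam_du ** 2 * ti ** 2
            + 3 * lam_du * lam_dd * mttr * ti
            + beta * lam_du * ti / 2
            + lam_df * ti / 2)

def spurious_trip_rate(arch, lam_s, mttr=0.0):
    """STR from the simple-formula table. 2oo2 and 2oo3 need MTTR because one safe failure
    only trips the plant if a second occurs while the first is still being repaired."""
    table = {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "1oo3": 3 * lam_s,
        "2oo2": 2 * lam_s ** 2 * mttr,
        "2oo3": 6 * lam_s ** 2 * mttr,
    }
    return table[arch]

def pfd_1oo1_imperfect_test(lam_d, ti, coverage, tm):
    """PFDavg = ½·λd·Ti·C + ½·λd·Tm·(1 − C): the fraction (1 − C) of dangerous failures the
    proof test cannot find is only cleared at the maintenance interval Tm."""
    return 0.5 * lam_d * ti * coverage + 0.5 * lam_d * tm * (1.0 - coverage)

def pfd_sif(sensor_pfds, logic_pfds, final_pfds):
    """PFD_SIF = ΣPFD_S + ΣPFD_LS + ΣPFD_FE for one safety instrumented function."""
    return sum(sensor_pfds) + sum(logic_pfds) + sum(final_pfds)

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508 ranges, not from this page)."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, lo, hi in bands:
        if lo <= pfd < hi:
            return sil
    return 0   # not within the SIL 1 to SIL 4 bands

def max_test_interval_for_target(arch, lam_du, target_pfd, step_hours=24.0,
                                 max_hours=10 * HOURS_PER_YEAR):
    """Design iteration on the proof test interval: the longest interval (in whole steps)
    whose simplified PFDavg still meets the target, or None if even one step is too long."""
    ti, best = step_hours, None
    while ti <= max_hours and pfd_simplified(arch, lam_du, ti) <= target_pfd:
        best = ti
        ti += step_hours
    return best

def slide_example():
    """Slide figures: λDU = 1e-6 /h (one failure in 114 years), annual proof test (8760 h)."""
    return pfd_simplified("1oo1", 1e-6, HOURS_PER_YEAR)   # 4.38e-3, i.e. SIL 2
```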
Design Example

Design Iteration for Target PFD

[Flowchart: Set target PFD, then Evaluate solution PFD. If not acceptable, Revise design and evaluate again; if acceptable, Proceed to detail design.]
SIS Analysis: Step 1

[Figure: a hazard places a demand rate D on the protective system (SIF), giving a hazard event rate H; the S
IF is drawn as its three stages in series.]
SIS Analysis: Step 2, identify channels in each stage

Example: dual channel sensors and actuators, single channel logic

[Figure: block diagram with the sensor stage as 1oo2D, the logic stage as a single channel, and the actuator stage as 1oo2.]
SIS Analysis: Step 3, expand details for each single channel

[Figure: one 1oo1D sensor channel expanded into its constituent parts.]
SIS Analysis: Step 4, work out λd and λs for the channel

[Figure: a sensor channel made up of the transmitter, the process connection, and the cable and power, each contributing a safe failure rate λs and a fail-to-danger rate λd; the transmitter failure rate is split by its safe failure fraction.]

Safe failure rate λs for the channel = λs1 + λs2 + λs3
Fail to danger rate λd for the channel = λd1 + λd2 + λd3
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SIS Analysis: Step 5, work out PFDavg for the single channel

Sensor Channel No 1
Channel Failure Rate = λd

MTTR = mean time to repair
Tia = auto diagnostic test interval (which is normally very small except for Partial Stroke test applications)
Ti = proof test interval (for this stage)

Portion detected by auto diagnostics:
$PFD_a = DC \times \lambda_d \times (MTTR + T_{ia}/2)$

Portion detected by manual proof tests:
$PFD_b = (1 - DC) \times \lambda_d \times T_i/2$

$PFD_{avg} = PFD_a + PFD_b$


Copyright ProSalus Limited 2011 




Beta Factor: Common Cause Failures in redundant SIS channels

[Figure: RBD with the two independent Unit Failures blocks in parallel, in series with a Common Cause Failures block]

Example: 1oo2 with common cause failure RBD block
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SIS Analysis: Step 6, find the PFDavg for the 1oo2D sensor group: Break out the common cause failure fraction for the redundant channels and calculate PFDavgs for each portion

β = common cause failure fraction

[Figure: RBD with the 1oo2D pair of sensor channels in series with a common cause block for failures common to Ch1 and Ch2 sensors, rate β λd]

1oo2D section PFDavg =
$\left((DC \times \lambda_d)^2 \times (MTTR + T_{ia})^2\right) + \left(((1 - DC) \times \lambda_d)^2 \times T_i^2\right)/3$

Common cause section PFDavg =
$\left((DC \times (\beta \times \lambda_d)) \times MTTR\right) + \left((1 - DC) \times (\beta \times \lambda_d) \times T_i/2\right)$

Total PFDavg = 1oo2D section + common cause section
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Example
DC = 70%, λd = 0.01/yr, MTTR = 48 hrs, Tia = 100 msec, Ti = 1 yr, β = 10%

β = common cause failure fraction

[Figure: 1oo2D sensor pair with common cause block, β λd = λCCF]

(MTTR + Tia = 48 h + 100 ms ≈ 0.0055 yr)

1oo2D PFDavg = $((0.7 \times 0.01)^2 \times (0.0055)^2) + (((1 - 0.7) \times 0.01)^2 \times 1^2)/3$ = 3.00E-06

CCF PFDavg = $((0.7 \times (0.1 \times 0.01)) \times 0.0055) + ((1 - 0.7) \times (0.1 \times 0.01) \times \tfrac{1}{2})$ = 1.54E-04

1oo2D PFDavg + CCF PFDavg = 3.00E-06 + 1.54E-04 = 1.57E-04
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SIS Analysis: Step 7, repeat steps 3 to 6 for each stage

Example: Dual channel sensors and actuators, single channel logic

[Figure: Sensor stage (1oo2D) → Logic solver → Actuator stage (1oo2)]

Overall PFDavg = PFDavg for sensors + PFDavg for logic solver + PFDavg for actuators
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Example Reducing Spurious Trip Rate

1oo2 Dual Sensors Spurious trip rate
$= 2\lambda_s + \beta\lambda_s$
= (2 × 0.01) + (0.1 × 0.01)
= 0.021 trips per yr

2oo3 Sensors Spurious trip rate
$= 6\lambda_s^2 \, MTTR + \beta\lambda_s$
= (6 × 0.135² × 8/8760) + (0.1 × 0.135)
= 0.00001 + 0.0135
= 0.01351 trips per yr
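The Step 5 single-channel PFDavg, the Step 6 1oo2D plus common-cause split and the spurious trip rates above, as an added Python example that is not from the ProSalus slides; the input values are the ones the slides quote.

```python
"""Added example, not from the ProSalus slides: the Step 5 single-channel PFDavg,
the Step 6 1oo2D-plus-common-cause split and the spurious trip rates of the
sensor-group example, as functions. Rates are per year, MTTR and Tia in hours,
Ti in years, exactly as the worked example quotes them."""

HOURS_PER_YEAR = 8760.0


def single_channel_pfd(lam_d, dc, mttr_h, tia_h, ti_yr):
    """Step 5: PFDa (share found by auto diagnostics, down for MTTR + Tia/2)
    plus PFDb (share found only at the proof test, down on average Ti/2)."""
    pfd_a = dc * lam_d * (mttr_h + tia_h / 2) / HOURS_PER_YEAR
    pfd_b = (1 - dc) * lam_d * ti_yr / 2
    return pfd_a + pfd_b


def sensor_group_1oo2d_pfd(lam_d, dc, mttr_h, tia_h, ti_yr, beta):
    """Step 6: the slide treats the independent 1oo2D pair with the full lam_d
    and the common-cause share beta*lam_d as one series block.
    Returns (independent part, common-cause part, total)."""
    down_yr = (mttr_h + tia_h) / HOURS_PER_YEAR   # slide's (MTTR + Tia), in years
    independent = ((dc * lam_d) ** 2 * down_yr ** 2
                   + ((1 - dc) * lam_d) ** 2 * ti_yr ** 2 / 3)
    common_cause = (dc * (beta * lam_d) * down_yr
                    + (1 - dc) * (beta * lam_d) * ti_yr / 2)
    return independent, common_cause, independent + common_cause


def spurious_trip_rate_1oo2(lam_s, beta):
    """1oo2 voting: either channel's safe failure trips, plus the common-cause share."""
    return 2 * lam_s + beta * lam_s


def spurious_trip_rate_2oo3(lam_s, beta, mttr_h):
    """2oo3 voting: two independent safe failures must overlap within MTTR,
    so only the common-cause term stays significant."""
    return 6 * lam_s ** 2 * (mttr_h / HOURS_PER_YEAR) + beta * lam_s


if __name__ == "__main__":
    # Slide values: DC = 70 %, lam_d = 0.01/yr, MTTR = 48 h, Tia = 100 ms,
    # Ti = 1 yr, beta = 10 %.
    ind, ccf, total = sensor_group_1oo2d_pfd(0.01, 0.7, 48.0, 0.1 / 3600, 1.0, 0.1)
    print(f"1oo2D {ind:.2e} + CCF {ccf:.2e} = {total:.2e}")  # 3.00e-06 + 1.54e-04 = 1.57e-04
    print(f"1oo2 dual sensors: {spurious_trip_rate_1oo2(0.01, 0.1):.3f} trips/yr")
    print(f"2oo3 sensors:      {spurious_trip_rate_2oo3(0.135, 0.1, 8.0):.4f} trips/yr")
```

Evaluated exactly, the 2oo3 overlap term 6 × 0.135² × 8/8760 is about 1.0E-04 rather than the 1.0E-05 printed on the slide, so the rate comes out at 0.0136 trips per year; the conclusion that the common-cause term dominates is unchanged.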
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Example evaluation of Diagnostic Coverage for Valve

Failure Mode                                                                | % Contribution to dangerous failures | % Detection by partial closure test | % of Dangerous Faults Detected
Actuator spring breakage or jamming                                         | 20   | 70  | 14
Solenoid fails to vent                                                      | 5    | 50  | 2.5
Positioner fails to trip                                                    | 5    | 100 | 5
Hoses kinked or blocked                                                     | 10   | 100 | 10
Valve stem or rotary shaft stuck                                            | 40   | 70  | 28
Actuator linkage fault                                                      | 5    | 70  | 3.5
Seating failures of valve causing high leakage, due to erosion or corrosion | 10   | 0   | 0
Foreign bodies or sludge preventing full closure                            | 5    | 0   | 0
Total                                                                       | 100% |     | 63%
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Design example: SIL 2 single or double valve decision
Step 1 Single valve with solenoid

[Figure: Reliability diagram for single tripping valve: SIS → Solenoid valve → Actuator and valve]

Proof test interval Ti = 1 year

$PFD_1 = \lambda_{d1} \cdot T_i/2$          $PFD_2 = \lambda_{d2} \cdot T_i/2$
λd1 = 0.02/yr (solenoid valve)      λd2 = 0.04/yr (actuator and valve)
PFD1 = 0.01                          PFD2 = 0.02

Overall PFD = 0.03 based on 1 year test interval
Qualifies for SIL 1 only
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Step 2 : Reliability diagram for 1oo2 tripping valves

[Figure: SIS feeding two parallel legs, each Solenoid valve → Actuator and valve, in series with a 10% Common Cause block]

λd1 = 0.02/yr      λd2 = 0.04/yr

Proof test interval Ti = 1 year

$PFD = (\lambda_{d1} + \lambda_{d2})^2 \cdot T_i^2/3 + 10\% \cdot (\lambda_{d1} + \lambda_{d2}) \cdot T_i/2$
= (0.06)² × 1/3 + (0.1 × 0.06) × 1/2
= 0.0042

Overall PFD = 4.20E-03 based on 1 year test interval
Qualifies for SIL 2 with adequate margin for sensors and logic




Reliability diagram for single tripping valve with Smart Positioner and Partial Closure Testing

[Figure: SIS → parallel pair (λda = 0.001/yr and SOV λdb = 0.02/yr) → Actuator and valve λdc = 0.04/yr, of which 70% of actuator and valve faults are detected by partial closure (diagnostic test interval Tia = 2 weeks) and 30% by proof test (proof test interval Ti = 1 year)]

$PFD_1 = \lambda_{da} \cdot \lambda_{db} \cdot T_i^2/3$      $PFD_2 = 0.7\lambda_{dc} \cdot T_{ia}/2$      $PFD_3 = 0.3\lambda_{dc} \cdot T_i/2$
PFD1 = (0.001 × 0.02) × 1²/3      PFD2 = (0.7 × 0.04) × 0.038/2      PFD3 = (0.3 × 0.04) × 1/2
PFD1 = 6.60E-06                   PFD2 = 5.32E-04                    PFD3 = 6.00E-03

Overall PFD = 6.54E-03 based on 1 year test interval
Qualifies for SIL 2 with adequate margin for sensors and logic
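The three valve-subsystem options of the design example (single valve, 1oo2 valves with 10% common cause, single valve with partial closure testing) computed side by side, as an added Python example that is not from the ProSalus slides. The low-demand SIL band helper uses the IEC 61508 PFDavg bands and checks the PFD criterion only; the architecture constraints the slides point to are not modelled.

```python
"""Added example, not from the ProSalus slides: the three valve-subsystem
options of the SIL 2 design example and the low-demand SIL band of the
resulting PFD. Rates per year, intervals in years, as on the slides."""


def pfd_series(lam_ds, ti_yr):
    """Single leg: each series element contributes lam_d * Ti / 2 (1oo1)."""
    return sum(lam * ti_yr / 2 for lam in lam_ds)


def pfd_1oo2_valves(lam_leg, ti_yr, beta):
    """Two identical legs with a common-cause fraction beta:
    lam_leg^2 * Ti^2 / 3 for the independent pair plus beta * lam_leg * Ti / 2."""
    return lam_leg ** 2 * ti_yr ** 2 / 3 + beta * lam_leg * ti_yr / 2


def pfd_smart_positioner(lam_a, lam_b, lam_valve, dc_partial, tia_yr, ti_yr):
    """Single valve with partial closure testing: the parallel pair (lam_a,
    lam_b) gives lam_a * lam_b * Ti^2 / 3; the share dc_partial of valve faults
    found by the partial closure test is down Tia/2, the remainder Ti/2."""
    pfd1 = lam_a * lam_b * ti_yr ** 2 / 3
    pfd2 = dc_partial * lam_valve * tia_yr / 2
    pfd3 = (1 - dc_partial) * lam_valve * ti_yr / 2
    return pfd1 + pfd2 + pfd3


def sil_band(pfd_avg):
    """IEC 61508 low-demand bands: SIL n requires 10^-(n+1) <= PFDavg < 10^-n.
    Returns 0 when PFDavg >= 0.1 (no SIL). PFD alone is necessary, not
    sufficient: the architecture constraints still have to be met."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


if __name__ == "__main__":
    single = pfd_series([0.02, 0.04], ti_yr=1.0)                  # 0.03 -> SIL 1
    dual = pfd_1oo2_valves(0.02 + 0.04, ti_yr=1.0, beta=0.1)      # 0.0042 -> SIL 2
    smart = pfd_smart_positioner(0.001, 0.02, 0.04, 0.7, 14 / 365, 1.0)  # ~6.54e-3 -> SIL 2
    for name, pfd in (("single valve", single), ("1oo2 valves", dual),
                      ("smart positioner", smart)):
        print(f"{name:17s} PFD = {pfd:.2e}  SIL {sil_band(pfd)}")
```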
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Conclusion for design example

Option 1: to meet the SIL 2 target: Install 2 block valves and proof test once every 2 years

Option 2: to meet the SIL 2 target: Install 1 block valve with smart Positioner, PS testing every 2 weeks. Proof test once every year.

NB: Both options must satisfy SIL architecture constraints.
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Commentary on Diagnostic claims for Valves 


One attraction of high diagnostic coverage is the improvement in safe failure fraction.

Improved SFF allows reduced Fault Tolerance under IEC 61508. If you can establish a high Safe Failure Fraction (SFF) using a smart Positioner you can reduce the number of valves needed to meet a SIL target.

Responsibility remains with the end user to justify reduced FT requirements by showing how the diagnostic coverage and SFF are calculated. Vendors will be keen to assist!

IEC 61508-2 clause 7.4.4.5 should be consulted. See also IEC 61508-6 Annex C.
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Query: Can Diagnostic Coverage of the valve qualify as improved SFF?

Answer: Only if the test interval does not add significantly to MTTR and only if a safe response or immediate repair is assured (see 61508-6 Annex B).

In practice the diagnostic test interval must be at least Ti/10 and should be less than 1 week (see 61508 Annex D, Table D3). Calculations are required.

If yes, does this mean we can claim > 90% SFF for the valve subsystem?
Answer: Yes

Does this qualify for reduced redundancy?
Answer: Yes it does if the PFD figures are satisfied.
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SUMMARY

Commonly manufacturers of components and subsystems have no influence on the SIL of the complete safety related system.

SIL rating of a subsystem makes no sense; in the best case this is an indicator that it would be suitable / has the capability to be part of a SIL rated system.

The PFDavg or PFH of the safety related system always has to be calculated.

Additionally, requirements for the avoidance of systematic failures have to be met (IEC 61508 Systematic Capability).

The standard requires an assessment of functional safety capability: Management, Design, Change Control, Implementation, Competency, Operations & Maintenance.

Certificates are not mandatory, and there is no law yet requiring SIL certificates.
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Practical Exercise No: 2 


SIL Verification Practical 
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Exercise No: 2 — SIL Verification

Task 1: Calculate the single channel PFDavg and spurious trip rate for the high temperature trip example. Draw a single channel reliability block diagram and, using the failure rates in the table, calculate the PFDavg and the spurious trip rate for each sub system and for the overall system using a proof testing interval of 6 months.

Assume the system uses 2 relays, 1 relay in the sensor subsystem and 1 relay in the logic solver subsystem. The trip actuation uses a solenoid valve to vent the air cylinder on a valve that will drive open and release quench water into the reactor.

Task 2: Redraw the RBD and calculate the PFDavg and spurious trip rate for the SIF using the second diagram showing 3 high temperature transmitters on a reactor configured 2oo3, on the basis of proof testing every 6 months, Beta Factor 10% and MTTR of 24 hours.

The 3 temperature transmitters each transmit to a trip amplifier device that acts as a high temperature trip device leading to a single channel actuation as in Task 1.
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Table of fault rates for the Devices

Channel Device              | Fail-safe rate per year | Fail-danger rate per year
TE element                  |                         |
TT transmitter              |                         |
Cable/terminals             |                         |
Relay (each)                |                         |
Solenoid Valve              |                         |
Trip Valve                  |                         |
TSH trip amplifier/switch   |                         |

Fail-safe rate per year (values as extracted, row assignment lost): 0.20, 0.05, 0.00, 0.5
Fail-danger rate per year (values as extracted, row assignment lost): 0.002, 0.02
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1oo1 Relay trip

[Figure: Single Channel High temperature Trip: TSH on the Reactor → relay trip → solenoid → trip valve from the Drench Tank]
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2oo3 Relay trip

[Figure: 2oo3 Input Voting High temperature Trip: three temperature transmitters on the Reactor → 2oo3 relay trip → solenoid → trip valve from the Drench Tank]
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Architectures for 
Low Demand mode of Operation 


Based on Reliability Block Diagrams 


IEC 61508 2010 Part 6 
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IEC 61508 Part 6 Low demand mode — Index of terms

β      The fraction of undetected failures that have a common cause

βD     Of those failures that are detected by the diagnostic tests, the fraction that have a common cause (β = 2 × βD)

λD     Dangerous failure rate (per hour) of a channel in a subsystem, equal to 0.5 λ (assumes 50 % dangerous failures and 50 % safe failures)

λDD    Detected dangerous failure rate (per hour) of a channel in a subsystem (this is the sum of all the detected dangerous failure rates within the channel of the subsystem)

λDU    Undetected dangerous failure rate (per hour) of a channel in a subsystem (this is the sum of all the undetected dangerous failure rates within the channel of the subsystem)

MTTR   Mean time to restoration (hour)

PFDG   Average probability of failure on demand for the group of voted channels

T1     Proof-test interval (h)

tCE    Channel equivalent mean down time (hour) for 1oo1, 1oo2, 2oo2 and 2oo3 architectures (this is the combined down time for all components in the channel of the subsystem)

tGE    Voted group equivalent mean down time (hour) for 1oo2 and 2oo3 architectures (this is the combined down time for all the channels in the voted group)
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IEC 61508 Part 6 — Low Demand Mode

B.3.2.2.1 1oo1 — System: Single channel where any dangerous failure leads to failure of the safety function when a demand arises.

[Figure B.4 — 1oo1 Physical Block diagram: a single Channel with its Diagnostics]

[Figure B.5 — 1oo1 Reliability Block Diagram: a λDU block with down time $t_{C1} = T_1/2 + MRT$ in series with a λDD block with down time $t_{C2} = MTTR$, combined into the channel equivalent down time $t_{CE}$]
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1oo1 — System cont'd

Figure B.5 shows that the channel can be considered to comprise two components, one with a dangerous failure rate λDU and the other with a dangerous failure rate λDD. It is possible to calculate the channel equivalent mean down time tCE, adding the individual down times from both components, tC1 and tC2, in direct proportion to each component's contribution to the probability of failure of the channel:

$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{2} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D} MTTR$

For every architecture, the detected dangerous failure rate and the undetected dangerous failure rate are given by

$\lambda_{DU} = \lambda_D (1 - DC); \qquad \lambda_{DD} = \lambda_D \, DC$

For a channel with down time tCE resulting from dangerous failures

$PFD = 1 - e^{-\lambda_D t_{CE}} \approx \lambda_D t_{CE}$ since $\lambda_D t_{CE} \ll 1$

Hence, for a 1oo1 architecture, the average probability of failure on demand is
$PFD_G = (\lambda_{DU} + \lambda_{DD}) \, t_{CE}$
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1oo2 Channels
B.3.2.2.2 1oo2 — System

This architecture consists of two channels connected in parallel, such that either channel can process the safety function. Thus there would have to be a dangerous failure in both channels before a safety function failed on demand. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

[Figure B.6 — 1oo2 physical block diagram: two Channels in parallel, each with Diagnostics]
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1oo2 Channels cont'd

[Figure B.7 — 1oo2 reliability block diagram: two parallel channels, each with λDU and λDD blocks and down time tCE, in series with the common cause block; voted group down time tGE]

Figures B.6 and B.7 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1, but now it is necessary to also calculate the system equivalent down time tGE, which is given by

$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{3} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D} MTTR$

The average probability of failure on demand for the architecture is

$PFD_G = 2\left((1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right)^2 t_{CE} \, t_{GE} + \beta_D \lambda_{DD} \, MTTR + \beta \lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
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2oo2 Channels

B.3.2.2.3 2oo2 — System
This architecture consists of two channels connected in parallel so that both channels need to demand the safety function before it can take place. It is assumed that any diagnostic testing would only report the faults found and would not change any output states or change the output voting.

[Figure B.8 — 2oo2 physical block diagram: two Channels, each with Diagnostics]

[Figure B.9 — 2oo2 reliability block diagram: two channel blocks (λDU, λDD) in series, each with down time tCE]

$PFD_G = 2 \lambda_D \, t_{CE}$
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1oo2D Channels

B.3.2.2.4 1oo2D — System

During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated between the channels, either channel can determine the state of the other channel via a means independent of the channel.

[Figure B.10 — 1oo2D physical block diagram: two Channels in parallel, each with Diagnostics, with cross-channel diagnostic links]

[Figure B.11 — 1oo2D reliability block diagram: two parallel channels, each with λDU, λDD and λSD blocks and down time tCE', in series with the Common cause failure block]
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1oo2D cont'd

The detected safe failure rate for every channel is given by
$\lambda_{SD} = \lambda_S \, DC$

Figures B.10 and B.11 contain the relevant block diagrams. The values of the equivalent mean down times differ from those given for the other architectures in B.3.2.2 and hence are labelled tCE' and tGE'.

Their values are given by:
$t_{CE}' = \frac{\lambda_{DU}\left(\frac{T_1}{2} + MRT\right) + (\lambda_{DD} + \lambda_{SD}) \, MTTR}{\lambda_{DU} + \lambda_{DD} + \lambda_{SD}}$
$t_{GE}' = \frac{T_1}{3} + MRT$
The average probability of failure on demand for the architecture is:

$PFD_G = 2(1 - \beta)\lambda_{DU}\left((1 - \beta)\lambda_{DU} + (1 - \beta_D)\lambda_{DD} + \lambda_{SD}\right) t_{CE}' \, t_{GE}' + 2(1 - K)\lambda_{DD} \, t_{CE}' + \beta \lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$
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2oo3 Channels

B.3.2.2.5 2oo3 — System
Three channels in parallel with majority voting such that the output state does not change if only one channel changes. It is assumed that any diagnostic testing would report faults only and not change the output state.

[Figure B.12 — 2oo3 physical block diagram: three Channels in parallel, each with Diagnostics]
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[Figure B.13 — 2oo3 reliability block diagram]
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2oo3 cont'd


Figures B.12 and B.13 contain the relevant block diagrams. The value of tCE is as given in B.3.2.2.1 and the value of tGE is as given in B.3.2.2.2. The average probability of failure on demand for the architecture is:

$PFD_G = 6\left((1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right)^2 t_{CE} \, t_{GE} + \beta_D \lambda_{DD} \, MTTR + \beta \lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$

B.3.2.2.6 1oo3 — System

Three channels in parallel with a voting arrangement such that the output state follows 1oo3 voting. It is assumed that any diagnostic testing would report faults only and not change the output state. The RBD is as the 2oo3 case but with 1oo3 voting, with the value of tCE as given in B.3.2.2.1 and the value of tGE as given in B.3.2.2.2. The average probability of failure on demand for the architecture is:

$PFD_G = 6\left((1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right)^3 t_{CE} \, t_{GE} \, t_{G2E} + \beta_D \lambda_{DD} \, MTTR + \beta \lambda_{DU}\left(\frac{T_1}{2} + MRT\right)$

Where
$t_{G2E} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{T_1}{4} + MRT\right) + \frac{\lambda_{DD}}{\lambda_D} MTTR$
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
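The Annex B low-demand formulas reproduced above (1oo1, 1oo2, 2oo2, 2oo3 and 1oo3, with tCE, tGE and tG2E), as an added Python example that is not from the slides or from the standard. The sample channel values used in the test (λD = 1E-06/h, DC = 0.6, T1 = 8760 h, MTTR = MRT = 8 h, β = 0.1, βD = 0.05) are constructed for illustration.

```python
"""Added example, not from the slides or the standard: the IEC 61508-6 Annex B
low-demand PFDG formulas reproduced above, with the equivalent down times
tCE, tGE and tG2E. All rates are per hour and all times in hours."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lam_d: float   # dangerous failure rate of one channel (per hour)
    dc: float      # diagnostic coverage, 0..1
    t1: float      # proof-test interval T1 (hours)
    mttr: float    # mean time to restoration for detected faults (hours)
    mrt: float     # mean repair time once a proof test reveals a fault (hours)
    beta: float    # fraction of undetected failures with a common cause
    beta_d: float  # fraction of detected failures with a common cause

    @property
    def lam_dd(self):  # detected dangerous rate, lambda_D * DC
        return self.lam_d * self.dc

    @property
    def lam_du(self):  # undetected dangerous rate, lambda_D * (1 - DC)
        return self.lam_d * (1 - self.dc)

    def down_time(self, divisor):
        """Equivalent mean down time: undetected faults wait T1/divisor + MRT,
        detected ones only MTTR, weighted by each share of lambda_D.
        divisor 2 gives tCE, 3 gives tGE and 4 gives tG2E."""
        return (self.lam_du / self.lam_d * (self.t1 / divisor + self.mrt)
                + self.lam_dd / self.lam_d * self.mttr)

    def common_cause(self):
        """CCF terms shared by 1oo2, 2oo3 and 1oo3: detected CCF is down for
        MTTR, undetected CCF until the next proof test."""
        return (self.beta_d * self.lam_dd * self.mttr
                + self.beta * self.lam_du * (self.t1 / 2 + self.mrt))

    def independent_rate(self):
        """Per-channel dangerous rate with the common-cause share removed."""
        return (1 - self.beta_d) * self.lam_dd + (1 - self.beta) * self.lam_du


def pfd_1oo1(c):
    return (c.lam_du + c.lam_dd) * c.down_time(2)

def pfd_2oo2(c):
    return 2 * c.lam_d * c.down_time(2)

def pfd_1oo2(c):
    return 2 * c.independent_rate() ** 2 * c.down_time(2) * c.down_time(3) + c.common_cause()

def pfd_2oo3(c):
    return 6 * c.independent_rate() ** 2 * c.down_time(2) * c.down_time(3) + c.common_cause()

def pfd_1oo3(c):
    return (6 * c.independent_rate() ** 3 * c.down_time(2) * c.down_time(3)
            * c.down_time(4) + c.common_cause())
```

For the constructed channel the common-cause terms dominate every redundant architecture, which is the practical reason the β factor deserves more scrutiny than the independent-failure term in a SIL verification.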